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VIRTUAL SMART CARD SYSTEM AND METHOD 



Field of the Invention 

5 The present invention is related to computer security, and more particularly to 

system and method for user authentication. 



Background Information 

As the world moves to a proliferation of internets, intranets and extranets, user 

10 authentication has become increasingly important. The most common authentication 

mechanism is a password. Static, user-selected passwords are inherently limited as 
protection devices, however, because of the relatively small number of bits of 
information they contain. In addition, users tend to select easy-to-guess passwords, 
thereby compromising the authentication process. 

1 5 One-time passwords overcome many of these limitations. In a one-time 

password system the password changes every time it is used. Instead of a static phrase, 
the system assigns a static mathematical function. The result is a "dynamic password." 

In one dynamic password system, the system provides an argument for the 
function and the user computes and returns the function value. This approach is termed 

20 "challenge/response." In challenge/response, a password generating device such as a 

token card receives a value from the system and computes a one-time password by 
plugging the value into a complex mathematical function. The one-time password is 
then transmitted to the system in order to authenticate the user. Challenge/response 
devices can be implemented in either hardware or software and are very effective for 

25 user authentication. 

Smart cards have also been proposed for user authentication. For instance, smart 
cards can be used to carry a user's identity securely and conveniently. In a typical smart 
card authentication system users approach a terminal and insert their smart cards into a 
smart card reader. The system queries the smart card through the smart card reader and 

30 performs a user authentication based, for instance, on a one-time password. 
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Public key cryptography promises an even more effective means of 
authenticating a user. In public key cryptography, cryptographic keys come in public 
key/private key pairs. The public key is used to encrypt while the private key is used to 
decrypt. 

5 The public key/private key pair is assigned to a user. The public key is used by 

others to encrypt data. The encrypted data can only be read by the owner of the 
corresponding private key. 

Authentication of a user through public key cryptography is straightforward. 
Under the Public Key Infrastructure (PKI), each user possesses a unique distinguished 
10 name. For example, a user, Alice, generates a unique distinguished name and a 

public/private key pair. The distinguished name is associated with Alice's public key 
via an X509 Certificate signed by the trusted Certificate Authority (CA). In such a 
system, Alice keeps her private key secret and publishes her certificate with the CA. 

Alice's public key is used to encrypt data so that only Alice, with her private 
15 key, can decrypt it. In a PKI-based system, a user wishing to communicate securely 

with Alice retrieves her certificate from the CA, obtains the associated public key and 
encrypts the communications with Alice's public key. 

In addition, Alice's private key can be used to produce a digital signature The 
digital signature verifies that Alice signed the data and maintains the integrity of the 
20 data being transferred. To verify the signature, the user retrieves Alice's certificate 

from the CA and processes the signature with the associated public key. 

The CA, therefore, is an integral part of the Public Key Infrastructure. 

To-date there has been no cohesive approach to public key authentication. 
Digital certificates can be used to standardize how identities, rights and privileges are 
25 assigned to users but, although server-side digital certificates are becoming common, 

there are few applications which supply certificate-based credentials to individual users. 
Directory services may provide standard, enterprise-wide storage for information about 
users and systems, but to-date, directory services are not widely deployed. Smart cards 
may become a ubiquitous medium for safeguarding and transporting a user's 
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credentials, but to-date, deployment costs and changing standards have slowed the 
deployment of smart cards for user authentication. 

What is needed is a system and method for user authentication which uses a 
smart card to supply certificate-based credentials to individual users. In addition, what 
5 is needed is a certificate-based authentication system which operates in conjunction 

with methods of user authentication such as token-based authentication, biometrics and 
simple passwords. 

Summary of the Tnvention 

10 According to one aspect of the present invention, a public key authentication 

system and method is described for use in a computer system having a plurality of users. 
The system includes a virtual smart card server, storage connected to the virtual smart 
card server, and a virtual smart card agent connected to the virtual smart card server. 
The storage includes a plurality of virtual smart cards, wherein each virtual smart card is 

1 5 associated with a user and wherein each smart card includes a private key. The virtual 

smart card agent authenticates the user and accesses the authenticated user's virtual 
smart card to obtain the user's private key. 

According to another aspect of the present invention, a system and method of 
authenticating users, including a first user, attempting to access a computer system is 

20 described. First and second keys are assigned to each user, wherein the first and second 

key form a public/private key pair. A digital certificate is issued to the first user, 
wherein the digital certificate is associated with the second key assigned to the first 
user. The user enters a one-time password and it is encrypted with the first key assigned 
to the first user to form an encrypted one-time password. The digital certificate issued 

25 to the first user is checked to verify that it was signed by a recognized certificate 

authority. The second key is then accessed via the digital certificate and the encrypted 
one-time password is decrypted with the second key to recover the one-time password. 
The one-time password is then compared against an expected one-time password. 
According to yet another aspect of the present invention, a public key 

30 authentication system and method is described for use in a computer system having a 
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plurality of users. The system includes an authentication server, a directory service 
connected to the authentication server and a host system. The directory service includes 
a plurality of public keys, wherein each public key is associated with a unique user 
identifier. The host system includes a public key authentication client and an interface 

5 to a smart-card-enabled application, wherein the public key authentication client is 

connected to the authentication server. The public key authentication client receives a 
challenge issued by the authentication server, signs the challenge with a digital 
signature representing a user and sends the digital signature of the challenge back to the 
authentication server. The authentication server receives the digital signature of the 

1 0 challenge and verifies the digital signature with a public key retrieved from the directory 

service. 



Rrief Description of the Drawings 
In the following drawings, where the same number reflects similar function in 
1 5 each of the drawings, 

Figs, la and lb illustrate public key authentication systems according to the 
present invention; 

Fig. 2 illustrates a method of authenticating a user according to the present 
invention; and 

20 Fig. 3 illustrates another embodiment of a public key authentication system. 

Description of the Prefer red Embodiments 
In the following detailed description of the preferred embodiments, reference is 
made to the accompanying drawings which form a part hereof, and in which is shown 
25 by way of illustration specific embodiments in which the invention may be practiced. It 

is to be understood that other embodiments may be utilized and structural changes may 
be made without departing from the scope of the present invention. 

In an ideal world, a user's private key is generated on a secure device, such as a 
smart card, and is never exposed outside of that device. Even the owner has no physical 
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access to his or her private key; only the public key leaves the device. Unfortunately, 

the world is not yet ideal. 

Until smart cards become ubiquitous, private keys are vulnerable. Today, 

private keys are stored directly on the user's hard disk, protected by a simple password. 
5 The password is vulnerable to any number of well known password guessing attacks. 

Strong, two-factor authentication is needed to thwart these attacks. PKI-based public 

key authentication provides one potential solution to this problem. 

As smart cards are deployed, a PKI-based public key authentication that is both 

portable and secure becomes possible. The user's private key is stored on the card. It is 
10 secured by a PIN, is never exposed outside the card, and the card is portable. A user 

proves his identity by presenting something he has (i.e., the card with its private key) 

and something he knows (i.e., the card's PIN). 

Migration to public key authentication will, however, be evolutionary, not 

revolutionary. It won't happen overnight. There are two major obstacles to client-side 
15 PKI deployment: (1) smart card readers have not been deployed; and (2) disk-resident 

private keys are vulnerable to attack. In addition, the technological models don't 

always fit the current business and social models. As these issues and others resolve 

themselves, networks will continue to grow and so will the need for PKI-based 

authentications systems. In the meantime, what is needed is a public key authentication 
20 system which is secure and portable, but which can operate without smart cards. Such 

systems are shown in Figs, la and lb. 

Public key authentication systems 10 for use in a computer system having a 

plurality of users are shown in Figs, la and lb. Public key authentication systems 10 of 

Figs, la and lb offer network accessible smart card services through emulated interfaces 
25 to smart-card-enabled applications without requiring a local smart card reader. Private 

keys are securely stored on a virtual smart card server, not on the user's local disk. In 

one embodiment, access to the server is limited to users who provide a correct one-time 

password. 

Public key authentication systems 10 of Figs, la and lb include virtual smart 
30 card (VSC) server 12, VSC storage 14, public key application 16, VSC agent 18 and 
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authentication server 20. VSC storage 14 includes a plurality of virtual smart cards, 
wherein each virtual smart card is associated with a user and wherein each smart card 
includes a private key. In one embodiment, communication between server 12 and 
agent 18 occurs over an agent-server message transport layer as will be described below. 
5 Virtual smart card agent 1 8 authenticates the user and accesses the authenticated 

user's virtual smart card to obtain the user's private key. In one embodiment, VSC 
agent 18 emulates PKCS 1 1 and Crypto API interfaces to smart-card-enabled 
applications. In one such embodiment, PKCS 1 1 and Crypto API function calls are 
mapped into agent-server messages and forwarded to VSC server 12. The actual 

10 processing corresponding to each function call is remotely executed on server 12. This 

allows applications to access signing and encryption functions without exposing the 
user's private key outside of server 12. 

Before VSC agent 18 can successfully access a user's private key or other virtual 
smart card data, the user must be authenticated. In one embodiment, authentication is 

15 accomplished through any of the one-time password mechanisms described above. For 

instance, in one embodiment, authentication is accomplished within agent 18 by means 
of a one-time password. One way of generating a one-time password is through the use 
of a standard authentication token (such as the Safe Word® token available from Secure 
Computing Corporation, San Jose, California). 

20 In one embodiment, system 10 provides secure storage of private keys, network 

accessible signing and key generation functions (without exposing the actual keys), and 
access to private keys through one-time-password authentication. 

In one such embodiment, VSC server 12 maintains in VCS storage 14 a local 
database of virtual smart cards and associations between users and these virtual smart 

25 cards. Multiple smart cards may be associated with a single user. The private keys 

owned by a user are stored in the server's database and are never exposed outside of the 
server. The server supplies encryption, signing, and key management functions which 
are called remotely from VSC agent 18's PKCS 1 1 and Crypto API emulations. As 
noted above, however, access to server 12 is granted only if the user is first 
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authenticated through a one-time password authentication procedure (such as 
authentication through a standard token). 

In one embodiment, communication between server 12 and agent 18 occurs over 
an agent-server message transport layer 22. In one such embodiment, VSC agent 18 
5 maps PKCS 1 1 and CryptoAPI function calls, function parameters, and return values 

into messages that are exchanged between agent 18 and VSC server 12. In one 
embodiment, these messages are transported over a secure TCP/IP session. 

In one embodiment, server 12 performs the requested function on behalf of agent 
18 and returns the result to agent 18. In one such embodiment, messaging between 
10 server 12 and agent 18 continues until a particular operation has concluded successfully. 

In one such embodiment, this operation is performed through an SSL connection to a 
secured web site. 

In one embodiment, authentication server 20 validates the end user's one-time- 
password before he or she is granted access to any virtual smart card services. In one 

15 such embodiment, such as is shown in Fig. la, agent 18 accesses authentication server 

20 over transport 22. In another embodiment, such as is shown in Fig. lb, agent 18 
accesses authentication server 20 directly or over a network connection. 

Public key authentication system 10 provides two-factor authentication and 
allows the user to transport his or her private key and other smart card data from system 

20 to system without the added cost and complexity of deploying smart cards and smart 

card readers. This enables immediate deployment of smart card aware applications 
while minimizing the risk of premature commitment to a particular smart card vendor. 
Where one-time password tokens such as Safe Word® tokens are already deployed, it 
provides a clear migration path from tokens to public key authentication. 

25 Public key authentication system 10, therefore, builds upon the success of one- 

time password-based authentication systems, while providing a clear evolutionary path 
to a PKI-based authentication system. One-time password-based systems are deployed 
and working right now. In addition to authentication services, systems such as the 
Safe Word® system provide a central point of administration, authorization and access- 
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control features, and audit logs. Such systems, therefore, are ideal platforms from 
which to integrate PKI-based authentication into existing networks. 

A public key authentication system such as system 10 positively identifies the 
owner of a private key and the associated public-key certificate and implements strong, 
5 two-factor authentication to protect system 10 from fraudulent access by an agent who 

steals a user's private key. An example of the use of system 10 to authenticate a user is 
shown in Fig. 2. In Fig. 2, the user is Bob. In one embodiment of system 10, Bob has, 
on his local disk, both a private key protected by a simple password, and a digital 
certificate issued by a certificate authority known to system 10. The digital certificate 
10 contains Bob's public key, and possibly other identifying information (e.g., his user ID 

for the system he is logging in to, or his access rights and privileges for that system). 

As is shown in Fig. 2, Bob presents his credentials in two parts. First, at 30, Bob 
presents his digital certificate signed by a certificate authority known to system 10. 
Next Bob presents, at 32, a one-time-password (generated, for example, by a standard 
15 SafeWord® token). When the password is sent, it is digitally signed with the private 

key stored on Bob's hard disk. 

System 10 first validates Bob's digital certificate by verifying that it was signed 
by a recognized certificate authority. Ifthe certificate was properly signed, Bob's 
public key is extracted and used to verify the signature of the one-time-password. Ifthe 
20 signature is valid, Bob's one-time-password is validated against the system 10's 

database. Assuming these three steps are successful, Bob's is "authenticated" and 
granted access to the host system. 

In one embodiment, Bob does not physically possess his certificate. For 
instance, it might be located in a directory service of which system 10 is aware. Bob's 
25 private key would, however, remain located on the hard disk. 

In another embodiment, Bob's certificate can be revoked at any time by placing 
the appropriate entry in a CRL known to system 10. 

Finally, although Fig. 2 illustrates event-synchronous authentication of the one- 
time-password, system 10 can be designed to also support challenge-response 
30 authentication. 
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The previous section has shown how to protect vulnerable, disk-resident private 
keys with one-time-password technology. When private keys and digital certificates are 
stored on the user's local disk, simple password protection is not adequate. System 10's 
strong, two-factor authentication enables deployment of off-the-shelf, certificate-based 
5 PKI solutions today, while avoiding the cost and risk of deploying smart cards and 

smart card readers. 

As smart cards are deployed, however, true two-factor authentication becomes 
possible. The user's secret key is stored on the card. It is secured by a PIN, is never 
exposed outside the card, and is portable. A user proves his identity by presenting 

1 0 something he has— the card with its private key— and something he knows— the card 5 s 

PIN. In the emerging public-key world, however, multiple forms of authentication will 
coexist. Certificate-based authentication will become increasingly important, but token- 
based authentication, biometrics, and simple passwords will often be deployed 
alongside PKI systems. 

1 5 One embodiment of a system capable of handling each of these forms of 

authentication is shown in Fig. 3. In the embodiment of public key authentication 
system 10 shown in Fig. 3, system 10 directly supports public key authentication with 
smart cards while, at the same time, supporting other authentication devices — tokens, 
biometrics, simple passwords. 

20 In the one embodiment, the principal components of this architecture are the 

public key client 40, the authentication server 42, and an LDAP compliant directory 
service 44. In the embodiment shown in Fig. 3, public key client 40 resides within host 
system 38. 

In one such embodiment, public key client 40 is installed into the login process 
25 of host computer 38. It is analogous to the symmetric key clients shipped with one-time 

password-based systems such as the Safe Word® system. During login, client 40 
connects to authentication server 42. Client 40 digitally signs a challenge issued by 
server 42 with the user's private key via either a PKCS 1 1 or CryptoAPI interface, and 
returns the response to server 42. 
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If server 42 successfully authenticates the user, additional access-control and 
authorization information may be returned from server 42 to client 40. Client 40 then 
applies this information during the remainder of the login process. 

In one embodiment, server 42 generates, during an authentication session, a 
5 pseudo-random challenge toward client 40, retrieves the user's public key from LDAP 

compatible directory 44, and waits for a response. The response is expected to be a 
digital signature of the challenge. Upon receipt of the response, server 42 verifies the 
digital signature with the user's public key. 

Because directory services are not yet widely deployed, public keys may also be 
10 stored directly into a user database 48 accessible by server 42. 

In one embodiment, server 42 is CRL-aware, and can, therefore, verify that the 
user's identity certificate has not been revoked. 

In addition to authentication functions, in one embodiment server 42 also 
provides access-control, auditing, and accounting functions for public-key 
15 authentication events. These functions may be fully integrated with those provided for 

other authentication methods — tokens, biometrics, simple passwords. 

System 10 supports a number of well-know LDAP directory services. Identity 
certificates containing the public key(s) for a particular user may be stored there. These 
certificates may be generated by a third party PKI system, or by a certificate issuance 
20 system (not shown) integral to system 10. 

In addition, directory service 44 may contain one or more CRLs of which system 
10 is aware. These CRLs may, for example, originate from third-party PKI systems. 

Within a given enterprise, multiple authentication technologies will likely be 
deployed. Newly installed systems may be public-key based. Legacy systems may 
25 continue to use token-based authentication. In addition, biometrics may be deployed in 

certain areas. Finally, systems with minimal security requirements may continue to use 
a simple password. 

In one embodiment, system 10 allows a user to present different types of 
authentication credentials depending on his or her point of access. For example, a smart 
30 card may be required to access a secure server containing sensitive financial data, yet 
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only a fixed password may be required to access the company phone book from a WEB 
browser. 

In addition, system 10 enables the system administrator to manage diverse 
authentication technologies from a common management platform. It provides the 
5 following management functions for all supported authentication methods: User 

Administration, Role-based Access Control and Audit Logs. 

PKI specifications do not directly address authorization and access control. 
Authorization and access control are, however, necessary components in any public key 
authentication scheme. 

10 In one embodiment, system 10 provides a single point of user administration. In 

one such embodiment, user accounts are created, modified, and deleted from the 
management console. In addition, individual user's are granted access to multiple 
systems deleted from the same management console. In the event that a user leaves to 
company or is terminated, his or her access rights to all systems in the enterprise can be 

1 5 immediately revoked. 

CRL issuance is slow, does not provide for immediate revocation of a user's 
access privileges, and does not address non-public-key authentication technologies. 
System 10, through its authentication servers (20 and 42) provides a single point from 
which to revoke a user's access privileges across an entire enterprise, for all points of 

20 authentication. 

In one embodiment, role-based access control is supported across all types of 
authentication. A role defines a set of access rights and privileges. Each user is 
assigned to one or more roles. For example, members of the role "Managers" might be 
granted access to personnel files, while members of the role "Clerks" cannot access 

25 personnel files, but may access an order-entry system. By modifying the attributes of a 

role, the administrator may quickly change rights and privileges of a collection of users. 

Auditing of authentication events is a vital part of managing secure networks. 
PKI specifications do not, however, directly address enterprise- wide audit and 
accounting needs. System 10 is uniquely positioned to integrate auditing information 

30 from all authentication technologies within an enterprise. In one embodiment, every 
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authentication attempt and result within system 10 is logged for subsequent accounting 
and auditing purposes. In one embodiment, system 10 integrates the audit information 
from all forms of authentication across the entire enterprise into comprehensive, easily 
reviewed audit logs. 

5 A public key authentication system such as system 10 builds upon the success of 

token-based one-time password systems, while providing a migration path to the PKI- 
based authentication systems of the future. As system such as system 10 provides not 
only authentication services, but also it provides a central point of administration, 
authorization and access-control features, and audit logs. 

10 A system such as system 10 addresses the deficiencies of non-smart-card based 

PKI systems while maintaining the benefits of public key authentication. As noted in 
the Background, disk-resident private keys are vulnerable. System 10 protects those 
keys using one-time password, technology. In addition, although smart cards will 
eventually house a user's private key, deployment of such cards will be slow due start- 

15 up costs and technological risks. System 10 facilitates the deployment of secure, virtual 

smart card services today, without the need to deploy smart cards and readers. 

Furthermore, smart cards, once deployed, provide strong, two-factor, public-key 
authentication. System 10 directly supports smart-card based authentication. 

Finally, public key technology will not be the only form of user authentication in 

20 a typical enterprise. Hardware and software tokens, biometrics, and simple passwords 

will continue to be deployed as well. System 10 integrates management of all of these 
technologies, providing a common platform for user administration, role-based access 
control, auditing across the enterprise. 

Although specific embodiments have been illustrated and described herein, it 

25 will be appreciated by those of ordinary skill in the art that any arrangement which is 

calculated to achieve the same purpose may be substituted for the specific embodiment 
shown. This application is intended to cover any adaptations or variations of the present 
invention. Therefore, it is intended that this invention be limited only by the claims and 
the equivalents thereof. 
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What is claimed is: 

1 . A public key authentication system for use in a computer system having a 
plurality of users, the system comprising: 

a virtual smart card server; 
5 storage connected to the virtual smart card server, wherein the storage includes a 

plurality of virtual smart cards, wherein each virtual smart card is associated with a user 
and wherein each smart card includes a private key; and 

a virtual smart card agent connected to the virtual smart card server, wherein the 
virtual smart card agent authenticates the user and accesses the authenticated user's 
10 virtual smart card to obtain the user's private key. 

2. The public key authentication system according to claim 1 , wherein the virtual 
smart card agent includes an interface to a smart-card-enabled application. 

15 3. The public key authentication system according to claim 2, wherein the virtual 

smart card server performs encryption in response to a remote call from the interface. 

4. The public key authentication system according to claim 2, wherein the virtual 
smart card server performs signing in response to a remote call from the interface. 

20 

5. The public key authentication system according to claim 2, wherein the virtual 
smart card server performs key management functions in response to a remote call from 
the interface. 



25 6. The public key authentication system according to claim 1, wherein the public 

key authentication system further includes an authentication server connected to the 
virtual smart card agent and wherein the virtual smart card agent authenticates the user 
through interaction with the authentication server. 
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7. The public key authentication system according to claim 1, wherein the public 
key authentication system further includes an authentication server connected to the 
virtual smart card server and wherein the virtual smart card agent authenticates the user 
through interaction with the authentication server. 

5 

8. The public key authentication system according to claim 1 , wherein the virtual 
smart card agent communicates with the virtual smart card server over an agent-server 
transport layer. 

10 9. The public key authentication system according to claim 1 , wherein the virtual 

smart card agent communicates with the virtual smart card server over a secure TCP/IP 
session. 



10. A method of authenticating users, including a first user, attempting to access a 
1 5 computer system, the method comprising : 

assigning first and second keys to each user, wherein the first and second key 
form a public/private key pair; 

issuing a digital certificate to the first user, wherein the digital certificate is 
associated with the second key assigned to the first user; 
20 entering a one-time password; 

encrypting the one-time password with the first key assigned to the first user to 
form an encrypted one-time password; 

verifying that the digital certificate issued to the first user was signed by a 
recognized certificate authority; 
25 accessing, via the digital certificate, the second key assigned to the first user; 

decrypting the encrypted one-time password with the second key associated with 
the digital certificate to recover the one-time password; and 

comparing the one-time password against an expected one-time password. 
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11. The method according to claim 10, wherein the first key is a private key and the 
second key is a public key. 

12. The method according to claim 10, wherein verifying that the digital certificate 
5 issued to the first user was signed by a recognized certificate authority includes 

accessing a CRL to determine if the certificate has been revoked. 

13. A computer-readable medium comprising program code which executes the 
method of claim 10. 

10 

14. A public key authentication system for use in a computer system having a 
plurality of users, the system comprising: 

an authentication server; 

a directory service connected to the authentication server, wherein the directory 
15 service includes a plurality of public keys, wherein each public key is associated with a 

unique user identifier; and 

a host system, wherein the host system includes a public key authentication 
client and an interface to a smart-card-enabled application, wherein the public key 
authentication client is connected to the authentication server; 
20 wherein the public key authentication client receives a challenge issued by the 

authentication server, signs the challenge with a digital signature representing a user and 
sends the digital signature of the challenge back to the authentication server; and 

wherein the authentication server receives the digital signature of the challenge 
and verifies the digital signature with a public key retrieved from the directory service. 

25 

15. The public key authentication system according to claim 14, wherein the 
authentication server includes role-based access control. 

16. The public key authentication system according to claim 14, wherein the 
30 authentication server includes automatic logging of authentication attempts. 
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VIRTUAL SMART CARD SYSTEM AND METHOD 



Abstract of the Disclosure 



A public key authentication system and method for use in a computer system 
having a plurality of users. The system includes a virtual smart card server, storage 
connected to the virtual smart card server, and a virtual smart card agent connected to 
the virtual smart card server. The storage includes a plurality of virtual smart cards, 
wherein each virtual smart card is associated with a user and wherein each smart card 
includes a private key. The virtual smart card agent authenticates the user and accesses 
the authenticated user's virtual smart card to obtain the user's private key. 



I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post 
Office to Addressee" service under 37 C.F.R. 1. 10 on the date indicated below and is addressed to the Assistant 
Commissioner for Patents, Attn: Box Patent Application, Washington, D. C. 20231. 
"Express Mail" mailing label number E ^1 f ^ 6 ^ ST U $ 

Date of Deposit *$ef)1~e4*i h tL- 3 / ??J 
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Attorney Docket No. 105.163US1 

SCHWEGMAN, LUNDBERG, WOESSNER & KLUTH, P.A. 

United States Patent Application 

COMBINED DECLARATION AND POWER OF ATTORNEY 

As a below named inventor I hereby declare that: my residence, post office address and citizenship are as 
stated below next to my name; that 

I verily believe I am the original, first and joint inventor of the subject matter which is claimed and for which 
a patent is sought on the invention entitled: VTRTITAT, SMART CARD SYSTEM A NP MKTHQP. 

The specification of which is attached hereto. 

I hereby state that I have reviewed and understand the contents of the above-identified specification, including 
the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the patentability of this application in 
accordance with 37 C.F.R. § 1.56 (attached hereto). I also acknowledge my duty to disclose all information known to 
be material to patentability which became available between a filing date of a prior application and the national or 
PCT international filing date in the event this is a Continuation-In-Part application in accordance with 37 C.F.R. 
||.63(e). 

S I hereby claim foreign priority benefits under 35 U.S.C. §119(a)-(d) or 365(b) of any foreign application(s) for 
patent or inventor's certificate, or 365(a) of any PCT international application which designated at least one country 
iher than the United States of America, listed below and have also identified below any foreign application for 
patent or inventor's certificate having a filing date before that of the application on the basis of which priority is 
claimed: 

lio such claim for priority is being made at this time. 

3 I hereby claim the benefit under 35 U.S.C. § 1 19(e) of any United States provisional applications) listed 



: Hi 



No such claim for priority is being made at this time. 

I hereby claim the benefit under 35 U.S.C. § 120 or 365(c) of any United States and PCT international 
application(s) listed below and, insofar as the subject matter of each of the claims of this application is not ^sclosed 
in the prior United States or PCT international application in the manner provided by the first paragraph ot 35 U.S.C. 
8 112 1 acknowledge the duty to disclose material information as defined in 37 C.F.R. § 1 .56(a) which became 
available between the filing date of the prior application and the national or PCT international filing date of this 
application: 

No such claim for priority is being made at this time. 
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I hereby appoint the following attomey(s) and/or patent agent(s) to prosecute this application and to transact 
all business in the Patent and Trademark Office connected herewith: 



Adams, Gregory J. Reg. No. P-44,494 

Adams, Matthew W. Reg. No. 43,459 

Anglin, J. Michael Reg. No. 24,916 

Arora, Suneel Reg. No. 42,267 

Bianchi, Timothy E. Reg. No. 39,610 

Billion, Richard E. Reg. No. 32,836 

Black, David W. Reg. No. 42,331 

Brennan, Thomas F. Reg. No. 35,075 

Brooks, Edward J., Ill Reg. No. 40,925 

Chu, Dinh CP. Reg. No. 41,676 

Clark, Barbara J. Reg. No. 38,107 

Dahl, John M. Reg. No. P-44,639 

Drake, Eduardo E. Reg. No. 40,594 

Eliseeva, Maria M. Reg. No. 43,328 

Embretson, Janet E. Reg. No. 39,665 

Fogg, David N. Reg. No. 35,138 

Fordenbacher, Paul J. Reg. No. 42,546 



Forrest, Bradley A. Reg. No. 30,837 

Harris, Robert J. Reg. No. 37,346 

Huebsch, Joseph C. Reg. No. 42,673 

Jurkovich, Patti J. Reg. No. P-44,8 1 3 

Kalis, Janal M. Reg. No. 37,650 

Kaufmann, John D. Reg. No. 24,01 7 

Klima-Silberg, Catherine I. Reg. No. 40,052 

Kluth, Daniel J. Reg. No. 32, 146 

Lacy, Rodney L. Reg. No. 4 1 ,1 36 

Leffert, Thomas W. Reg. No. 40,697 

Lemaire, Charles A. Reg. No. 36,198 

Litman, Mark A. Reg. No. 26,390 

Lundberg, Steven W. Reg. No. 30,568 

Mack, Lisa K. Reg. No. 42,825 

Maki, Peter C. Reg. No. 42,832 

Malen, Peter L. Reg. No. P-44,894 

Mates, Robert E. Reg. No. 35,271 



McCrackin, Ann M. Reg. No. 42,858 

Nama, Kash Reg. No. 44,255 

Nelson, Albin J. Reg. No. 28,650 

Nielsen, Walter W. Reg. No. 25,539 

Oh, Allen J. Reg. No. 42,047 

Padys, Danny J. Reg. No. 35,635 

Parker, J. Kevin Reg. No. 33,024 

Peacock, Gregg A. Reg. No. P-45,001 

Polglaze, Daniel J. Reg. No. 39,801 

Prout, William F. Reg. No. 33,995 

Schwegman, Micheal L. Reg. No. 25,8 1 6 

Sieffert, Kent J. Reg. No. 41,312 

Slifer, Russell D. Reg. No. 39,838 

Steffey, Charles E. Reg. No. 25,179 

Terry, KathleenR. Reg. No. 31,884 

Viksnins, Ann S. Reg. No. 37,748 

Woessner, Warren D. Reg. No. 30,440 



I hereby authorize them to act and rely on instructions from and communicate directly with the person/assignee/attomey/ 
fyn/organization/who/whic^ first sends/sent this case to them and by whom/which I hereby declare that I have consented after full 
(f&losure to be represented unless/until I instruct Schwegman, Lundberg, Woessner & Kluth, P.A. to the contrary. 
iSase direct all correspondence in this case to Schwegman, Lundberg, Woessner & Kluth, P.A. at the address indicated below: 
~~ P.O. Box 2938, Minneapolis, MN 55402 

£ Telephone No. (612)373-6900 

i 1 hereby declare that all statements m ade herein of my own knowledge are true and that all statements made on ^formation and 

statements may jeopardize the validity of the application or any patent issued thereon. 



jhjll Name of joint inventor number 1 : Lawrence Smith 
citizenship: United States of America 

Mst Office Address: 3620 ConcoTd Blvd. 

dl Concord, CA 94519 



Residence: Concord, CA 



Signature: 



Date: 



Lawrence Smith 



Full Name of joint inventor number 2 : ttichard Levenberg 

Citizenship: United States of America Residence: Lafayette, 

Post Office Address: 3346 Helen Lane 

Lafayette, CA 94549 
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§ 1.56 Duty to disclose information material to patentability. 

(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent 
examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information 
material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good 
faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individua to be material to 
patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is canceled 
or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a claim that is canceled 
or withdrawn from consideration need not be submitted if the information is not material to the patentability of any claim remaining under 
consideration in the application. There is no duty to submit information which is not material to the patentability of any existing claim. The 
duty to disclose all information known to be material to patentability is deemed to be satisfied if aU information known to bcr materud to 
patentability of any claim issued in apatent was cited by the Office or submitted to the Office in the manner prescribed by §§ ^Md) 
and 1 98 However no patent will be granted on an application in connection with which fraud on ihe Office was practiced or attempted or 
the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine: 

(1) prior art cited in search reports of a foreign patent office in a counterpart application, and 

(2) the closest information over which individuals associated with the filing or prosecution of a patent application believe any 
pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office. 

0(b) Under this section, information is material to patentability when it is not cumulative to information already of record or being 
rMde of record in the application, and 

S (1) It establishes, by itself or in combination with other information, a prima facie case of unpatentability of a claim; or 

ill (2) It refutes, or is inconsistent with, a position the applicant takes in: 

q (i) Opposing an argument of unpatentability relied on by the Office, or 

f =4 (ii) Asserting an argument of patentability. 

f nrima facie case of unpatentability is established when the information compels a conclusion that a claim is unpatentable under the 
I^ ^ SSSk)! standard, giving each term in the claim its broadest reasonable construction consisten with the 
oS^coSdSon is given to fvidence which may be submitted in an attempt to establish a contrary conclusion of 

'patentability. 

* (c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section are: 

( 1 ) Each inventor named in the application: 

(2) Each attorney or agent who prepares or prosecutes the application; and 

(3) Every other person who is substantively involved in the preparation or prosecution of the application and who is associated 
with the inventor, with the assignee or with anyone to whom there is an obligation to assign the application. 

(d) Individuals other than the attorney, agent or inventor may comply with this section by disclosing information to the attorney, 
agent, or inventor. 



